urelas | 36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3

General

Target

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
Size

331KB
MD5

a77e24c20018b1ab66b58aa944c5de9c
SHA1

154763d2824785ac6e3167ecc4cd74ebe457c8ef
SHA256

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3
SHA512

10b0ee9b0378525cb0a23637a08c6b548009c11c12b7123302e514fd180734fcfb35454dabfd9042f35348983f07600e5bcf211e2f019d9b358159124a0fcd30
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisd:Nd7rpL43btmQ58Z27zw39gY2FeZh4w

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fonyk.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exetalua.exemodoic.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	talua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	modoic.exe

Executes dropped EXE 3 IoCs

Processes:

talua.exemodoic.exefonyk.exe

pid process

3612 talua.exe
948 modoic.exe
2536 fonyk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3612	talua.exe
948	modoic.exe
2536	fonyk.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

talua.execmd.exemodoic.exefonyk.execmd.exe36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	talua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	modoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fonyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fonyk.exe

pid	process
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe
2536	fonyk.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exetalua.exemodoic.exe

description	pid	process	target process
PID 1448 wrote to memory of 3612	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	talua.exe
PID 1448 wrote to memory of 3612	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	talua.exe
PID 1448 wrote to memory of 3612	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	talua.exe
PID 1448 wrote to memory of 1104	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	cmd.exe
PID 1448 wrote to memory of 1104	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	cmd.exe
PID 1448 wrote to memory of 1104	1448	36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe	cmd.exe
PID 3612 wrote to memory of 948	3612	talua.exe	modoic.exe
PID 3612 wrote to memory of 948	3612	talua.exe	modoic.exe
PID 3612 wrote to memory of 948	3612	talua.exe	modoic.exe
PID 948 wrote to memory of 2536	948	modoic.exe	fonyk.exe
PID 948 wrote to memory of 2536	948	modoic.exe	fonyk.exe
PID 948 wrote to memory of 2536	948	modoic.exe	fonyk.exe
PID 948 wrote to memory of 4716	948	modoic.exe	cmd.exe
PID 948 wrote to memory of 4716	948	modoic.exe	cmd.exe
PID 948 wrote to memory of 4716	948	modoic.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe
"C:\Users\Admin\AppData\Local\Temp\36d7e058cf340be06eedf13fa2180bdc4b570a5166113096825352a3d67d38c3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\talua.exe
  "C:\Users\Admin\AppData\Local\Temp\talua.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\modoic.exe
    "C:\Users\Admin\AppData\Local\Temp\modoic.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\fonyk.exe
      "C:\Users\Admin\AppData\Local\Temp\fonyk.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
913e3ad0783d12e1678c085235cd0e09

SHA1
f28b28def55c12fa3167bf5c275e346dcd50407e

SHA256
3250f978a639914589d3f8f35e931b7ae7a9fe9a7838b3314eccf4399b0af7ee

SHA512
69f576fc4888955142a3e7f195da7deda2bf80d65fc548486dad367da31679674710cd263d90d709798dae7802cc244b82a85894afa72d1ef53a39aac7e8ddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
4af5ce80e4190625e8325667743a9939

SHA1
8ffa27c1fb739f081671d7dd1b3ce76b4a965049

SHA256
9123c988cf2e0216092aef20db377731649c28dd50dc116041dad06df741ca70

SHA512
e2347bfdac92a02539098c44c90d35ae6c885b7b3ad219dcc802d73f12ace5599df111dd003aed534373f8b012f92c705ca10f74f4ef87710235909736ca9fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fonyk.exe

Filesize
136KB

MD5
7a89394d0f36d4a6590d8632829824e5

SHA1
21f730d0fa4252c1c414facf6902d377dc1c568e

SHA256
e942862d7a974fb012b190773a967a802bbe6ea99212ee83e44676716462d488

SHA512
9bd30596500ec37400ed55a4a7a9d756da87e96eadb01be4a1085dd90df3fd903c187b70debfd9e87c5be88e8b6873e6517863b9f32a040422d21260ff50b567

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c2b21075b9b8a317ceab025b9a142aaa

SHA1
03ac5efb73cd8d17505ccba1336b28e38f928a63

SHA256
d491520676f8a954e1c11f9a5723c0dbe3ed2d09885578b300df9d0c8c141668

SHA512
30247f810bddaed98a2fb658c489ac9e09a054c99d15484b4a78aa697111f6c6700c70fe72adf3e5027962d087e4a38d920f95d81cd0ed45552726bb9d948e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\talua.exe

Filesize
331KB

MD5
a1846a047cc3e9475bb501b1d486279f

SHA1
b67d1a39a6070ea4d071e09b6cd22aa9db1f4941

SHA256
27fd41c8978267c9430fa38665e46a5d3ca0d8a9a4138cec8a3122fd4332190c

SHA512
39d874395e6709ae8b0ad111cacf99311cf6e6d212132665f0507dd1b9f45d11bb9dfc0a0b02119882f0ed7c2cb4122aa1990f412824dbb31f195aa8e46f9ced

Download Submit
memory/948-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/948-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1448-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1448-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2536-37-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/2536-40-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/2536-38-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/2536-44-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/2536-45-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/2536-46-0x0000000000CE0000-0x0000000000D6C000-memory.dmp

Filesize
560KB

Download
memory/3612-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads